New issue
Advanced search Search tips

Issue 608104 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: Heap-use-after-free in RuntimeCustomBindings::GetExtensionViews

Project Member Reported by rob@robwu.nl, Apr 29 2016

Issue description

Chrome version: 50.0.2661.75

RuntimeCustomBindings::GetExtensionViews retrieves a vector of RenderFrame*s of the current extension, and stores each item in a v8::Array. But the extension can intercept the setter for a numeric index (e.g. 0), destroy the RenderFrame and cause a UAF. Oops.

To reproduce, just load the attached extension (manifest.json & background.js).
The extension does not need any permissions.
 
manifest.json
162 bytes View Download
background.js
1.7 KB View Download
asan-uaf-getViews-50.0.2661.75.log
27.7 KB View Download

Comment 1 by rob@robwu.nl, Apr 30 2016

Cc: rdevlin....@chromium.org
Owner: rob@robwu.nl
Status: Started (was: Unconfirmed)
Patch: https://codereview.chromium.org/1935953002/ (locally verified)
Labels: Security_Severity-High M-50 Security_Impact-Stable Pri-1
Project Member

Comment 3 by bugdroid1@chromium.org, May 2 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aa7a889002dd7a1288cc5e962086e517131fb01e

commit aa7a889002dd7a1288cc5e962086e517131fb01e
Author: rob <rob@robwu.nl>
Date: Mon May 02 16:18:37 2016

Create array of extension views without side effects

BUG= 608104 

Review-Url: https://codereview.chromium.org/1935953002
Cr-Commit-Position: refs/heads/master@{#390961}

[modify] https://crrev.com/aa7a889002dd7a1288cc5e962086e517131fb01e/extensions/renderer/runtime_custom_bindings.cc

Comment 4 by rob@robwu.nl, May 3 2016

Labels: Merge-Request-51
Status: Fixed (was: Started)

Comment 5 by tin...@google.com, May 3 2016

Labels: -Merge-Request-51 Merge-Approved-51 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M51 (branch: 2704)
Please merge your change to M51 branch 2704 by 4:00 PM PST today so we can take it for this week beta release tomorrow.Thank you.
Project Member

Comment 7 by ClusterFuzz, May 3 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 8 by bugdroid1@chromium.org, May 3 2016

Labels: -merge-approved-51 merge-merged-2704
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3d0effb3db93713cafeea3bc81231403b5cba018

commit 3d0effb3db93713cafeea3bc81231403b5cba018
Author: Rob Wu <rob@robwu.nl>
Date: Tue May 03 21:23:08 2016

Create array of extension views without side effects

BUG= 608104 

Review-Url: https://codereview.chromium.org/1935953002
Cr-Commit-Position: refs/heads/master@{#390961}
(cherry picked from commit aa7a889002dd7a1288cc5e962086e517131fb01e)

Review URL: https://codereview.chromium.org/1948773002 .

Cr-Commit-Position: refs/branch-heads/2704@{#362}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/3d0effb3db93713cafeea3bc81231403b5cba018/extensions/renderer/runtime_custom_bindings.cc

Labels: reward-topanel

Comment 10 by rob@robwu.nl, May 29 2016

Labels: -M-50 M-51
Labels: Release-1-M51
Labels: -Security_Severity-High Security_Severity-Medium
Updating severity.
Labels: -reward-topanel reward-1500 reward-unpaid CVE-2016-1700
$1,500 here Rob ($1000 for the report, +$500 for the patch). Cheers as always!
Labels: -reward-unpaid reward-inprocess
Project Member

Comment 15 by sheriffbot@chromium.org, Aug 9 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 16 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 17 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted

Sign in to add a comment